Privacy Policy
Last updated: 2026-07-04
At VitaScribe Inc., your privacy and data security are central to our mission. This Privacy Policy explains what data we collect, how we collect it, how we use it, who we share it with — including Microsoft Azure services used to provide secure transcription and AI-assisted documentation — and the choices and rights you have. It applies to the VitaScribe mobile app and our websites, and describes how we protect personal health information (PHI) and user data in compliance with applicable laws, including PHIPA (Ontario), PIPEDA (Canada), and HIPAA (USA).
By using VitaScribe, you agree to this Privacy Policy.
1. Who This Policy Applies To
This Policy applies to:
- Licensed healthcare professionals and their authorized staff;
- Healthcare organizations using VitaScribe;
- Patients whose PHI may be processed through the Service.
2. Information We Collect
a) Personal Health Information (PHI)
Captured through encounter recording, transcription, AI-assisted documentation workflows, or manual clinician input, including:
- Clinical encounter audio and transcripts
- Clinical conversations, notes, observations, and generated documentation
- Patient identifiers and patient context supplied by the clinician
- Treatment, diagnosis, appointment, and care-plan information
b) User Information
- Names, professional credentials, and contact details
- Account and billing information
- Usage and activity logs
c) Technical and Device Data
- IP addresses, browser types, and device identifiers
- App version, device type, and diagnostic or error logs
- Performance and security logs
We collect this data directly from you when you create an account, configure settings, record a session, and enter patient information, and automatically through standard app and security logging.
3. Data Hosting and Security
- All PHI and personal data are stored and processed in your choice of Microsoft Azure datacenters in Canada or the United States.
- Microsoft provides compliance with PHIPA, PIPEDA, HIPAA, and ISO 27001, SOC 2, and CSA STAR certifications.
- VitaScribe employs encryption in transit and at rest, strict access controls, audit logs, and ongoing monitoring to protect data integrity and confidentiality.
4. How We Use the Information
We use data to:
- Provide and maintain the Service;
- Send encounter audio, transcripts, patient context, and generated documentation to Microsoft Azure where needed for secure hosting, storage, Azure AI Speech transcription, and Azure OpenAI Service-assisted clinical documentation;
- Generate transcripts, draft clinical notes, summaries, tasks, and related clinical workflow outputs for clinician review;
- Ensure compliance with applicable laws and healthcare standards;
- Support troubleshooting, auditing, and service analytics.
We never sell or rent PHI or user data to third parties, and we do not use recordings, transcripts, or generated notes to train third-party AI models.
5. Third-Party AI Services
VitaScribe uses third-party artificial intelligence services to transcribe clinical encounters and generate draft clinical documentation. Before any data is sent for AI processing, we tell you what will be shared and ask for your permission. We do not send data to these services without your consent.
a) What data is sent
- Clinical encounter audio recordings
- Transcripts of those recordings
- Patient context and clinical notes you provide for documentation
- The draft notes, summaries, and tasks generated for your review
b) Who the data is sent to
Data is processed by Microsoft Azure AI services — including Azure OpenAI Service and Azure AI Speech — operating as our AI subprocessor within the Microsoft Azure region you select (Canada or the United States). Your data is processed within that region and is not used to train Microsoft's or any third party's AI models. Microsoft processes this data under contractual confidentiality and security commitments (including a Business Associate Agreement for HIPAA, where applicable) that provide protections equivalent to those described in this Policy.
c) Your permission
The app discloses, before sharing, what data will be sent and who it will be sent to, and obtains your consent prior to transmitting any personal data to these AI services. You may decline, and you may delete your account and data at any time (see Section 7).
6. Consent and Legal Authority
Users are responsible for ensuring they have obtained valid patient consent or legal authority under PHIPA before transmitting PHI to VitaScribe.
7. Retention, Account Deletion, and Data Deletion
PHI is retained only as long as necessary to provide the Service or as required by law, regulation, or clinic-governed retention requirements. Some clinical and audit records may be retained when required by law or by your organization's policies, even after an account is deleted.
You can delete your account and personal data directly in the VitaScribe app under Settings → Delete account (also reachable from Settings → Privacy & Data). Account deletion is available to all users, including clinic-managed accounts. Deletion is permanent, subject to records we are legally required to retain.
You can permanently delete your account and personal data at any time, either from within the app (Settings → Delete account) or by submitting a request on our account deletion page. Account deletion is permanent; we delete your personal data from active systems and backups within 30 days, except for the limited data we are legally required to retain.
8. Access, Correction, and Requests
You can access and export your data in the app. Authorized users and healthcare organizations may also request access to or correction of PHI processed by VitaScribe. Please contact us using the details below.
9. Third-Party and Subprocessor Disclosure
To provide secure hosting, storage, transcription, and AI-assisted documentation, VitaScribe processes session and clinical data with Microsoft Azure, including:
- Azure cloud hosting and storage services, which store and protect account, session, audio, transcript, patient context, generated documentation, and audit data;
- Azure AI Speech and Azure OpenAI Service, which process encounter audio, transcripts, patient context, and generated documentation in order to produce transcripts, draft clinical notes, summaries, and tasks.
We process this data only to provide and support the Service. Before data is sent, the app discloses in-app what data is processed and identifies Microsoft Azure, Azure AI Speech, and Azure OpenAI Service as the service providers, and asks you to confirm patient consent. Microsoft provides safeguards that are the same as or equivalent to those described in this policy and processes the data only to perform services for VitaScribe. Data is not used to train third-party models.
We do not sell personal data, and we do not share it for advertising. Disclosure to law enforcement or regulators occurs only when legally required.
10. Children's Privacy
The Service is for healthcare professionals and not intended for direct use by individuals under 16. Any PHI involving minors must be handled by authorized healthcare providers.
11. Your Responsibilities
As a user, you must:
- Ensure compliance with PHIPA and your organization's privacy policies;
- Maintain secure devices and credentials;
- Notify us promptly of any suspected breach or unauthorized access.
12. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification. Continued use of the Service indicates acceptance of the updated policy.
Data Processing Addendum
Last updated: 2025-10-30
This Data Processing Addendum ("Addendum") forms part of the agreement between VitaScribe Inc. ("Processor" or "VitaScribe") and the healthcare organization or provider ("Covered Entity," "Clinic," or "Controller") that uses VitaScribe's AI documentation platform (the "Service").
This Addendum governs VitaScribe's processing of Personal Health Information (PHI) on behalf of the Clinic in accordance with the Personal Health Information Protection Act (PHIPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Health Insurance Portability and Accountability Act (HIPAA), as applicable.
1. Purpose and Scope
VitaScribe provides an AI-assisted documentation platform to help healthcare professionals record, transcribe, and structure clinical notes. In providing this Service, VitaScribe acts as a "health information network provider" or "agent" under PHIPA, processing PHI solely on behalf of the Clinic, which remains the custodian of the information.
2. Definitions
- "PHI" means Personal Health Information as defined under PHIPA.
- "Processing" means any operation performed on PHI, including storage, transmission, access, or analysis.
- "Subprocessor" means a third-party service provider engaged by VitaScribe to support the Service.
3. Roles and Responsibilities
- The Clinic remains the Health Information Custodian (HIC) under PHIPA.
- VitaScribe acts as an agent to the HIC, processing PHI only as directed by the Clinic and only for the purposes of providing and improving the Service.
- VitaScribe does not collect or use PHI for its own purposes.
4. Data Hosting and Security
- All PHI is stored, processed, and backed up in secure Microsoft Azure datacenters within your chosen region (Canada or United States).
- Microsoft acts as a subprocessor under a PHIPA-compliant and SOC 2/ISO-certified data protection framework.
- VitaScribe implements:
- Access controls and authentication mechanisms;
- Logging and monitoring of system activity;
- Role-based access for authorized personnel only.
5. Subprocessors
VitaScribe uses Microsoft Azure to assist in delivering the Service, including secure hosting, storage, transcription, AI documentation, monitoring, analytics, and support functions.
- Microsoft Azure may process PHI only to provide contracted hosting, storage, transcription, AI documentation, security, monitoring, analytics, or support services.
- VitaScribe requires Microsoft to provide confidentiality and security protections consistent with VitaScribe's healthcare privacy obligations.
- VitaScribe will notify the Clinic of any material changes to its PHI subprocessors.
6. Use and Disclosure
- VitaScribe will process PHI only for the purposes authorized by the Clinic and as necessary to provide the Service.
- VitaScribe will not sell, share, or disclose PHI except as required by law.
- Any legal request (e.g., subpoena or warrant) for PHI will be promptly communicated to the Clinic, unless prohibited by law.
7. Breach Notification
VitaScribe will:
- Notify the Clinic without undue delay (and in any case within 72 hours) upon becoming aware of any privacy breach involving PHI;
- Provide details of the breach, the affected data, and mitigation steps;
- Cooperate fully with the Clinic and regulatory authorities in any investigation or remediation.
8. Access, Correction, and Retention
- VitaScribe will assist the Clinic in fulfilling access and correction requests from individuals, as required under PHIPA.
- PHI will be retained only as long as necessary to provide the Service or as directed by the Clinic.
- Upon termination or written request, VitaScribe will securely delete or de-identify all PHI, unless retention is required by law.
9. Audit and Compliance
- VitaScribe maintains documentation of its security and privacy controls, available to the Clinic upon reasonable request.
- The Clinic may, no more than once per year, conduct or commission an audit or compliance review (subject to confidentiality and security obligations).
10. Liability
Each party remains responsible for its own compliance with PHIPA. VitaScribe's total liability for any breach of this Addendum shall not exceed the limits set out in the main Service Agreement, except where prohibited by law.
11. Term and Termination
This Addendum remains in effect as long as VitaScribe processes PHI on behalf of the Clinic. Upon termination, VitaScribe will securely delete or de-identify all PHI unless retention is legally required.
12. Governing Law
This Addendum is governed by and construed in accordance with the laws of Ontario and the laws of Canada applicable therein.
13. Contact Information
For questions, access requests, or complaints, contact:
VitaScribe Inc.
Email: privacy@vitascribe.io